address resolution & reverse

Jim Pazarena bind at ccstores.com
Wed Apr 18 20:37:15 UTC 2001


Many thanks for your response.. I almost gave up.

After more careful scrutiny, I see that the exact IPs people are trying
to reverse resolve are IPs which I do not have direct control over.

Specifically.
    I control the range 209.53.238/24 and it reverse maps fine.
    My web server is remotely located at  64.69.87.111
    I've got the forward reference setup in *my* DNS of
    www.qcislands.net  IN A   64.69.87.111  since I control "qcislands.net"

and the agency hosting my machine has the reverse IP setup in their DNS
since the actual IP addresses are theirs.

Why would *any* server be hitting *my* DNS server for reverse mapping
of 64.69.87.111 ?

I don't have a zone setup for "111.87.69.64.in-addr.arpa" in *my* DNS
because it's not my range.

I've got remote querying of REMOTE IPs denied in my named.conf.

How can I permit remote queries to this specific IP while denying
remote queries of remote IPs in general?

 >Subject: Re: address resolution & reverse
 >Date: Wed, 18 Apr 2001 15:39:08 -0400
 >From: Kevin Darcy <kcd at daimlerchrysler.com>

 >When a client does a "reverse" lookup, i.e. when it wants to map an address
 >back to a name, it takes the address, reverses the octets, and appends
 >in-addr.arpa to it. So, a reverse lookup of 209.53.238.1 actually comes to the
 >nameserver as a query of 1.238.53.209.in-addr.arpa. You need to permit queries
 >of the 238.53.209.in-addr.arpa or 53.209.in-addr.arpa zone (depending on how
 >the reverse address space is delegated) in order to answer those queries.

 >You said that querying 209.53.238.1 works. But the important question is: from
 >*where* did it work? If you queried it from a client that was in your
 >allow-query ACL, then obviously it worked. But apparently it's being denied
 >for other clients. If this turns out to be some sort of ACL problem, then
 >please post your named.conf, otherwise it'll just be guesswork trying to
 >figure out the problem.


 >- Kevin

 >Jim Pazarena wrote:

 >> I have seen "client XX.XX.XX.XX#XXXX: query denied" in my logs, and decided
 >> to investigate it, so I turned on query logging.
 >>
 >> I find that my DNS is denying queries like: 1.238.53.209.in-addr.arpa
 >>
 >> where if you query:  ciu.qcislands.net, it works
 >> and if you query:    209.53.238.1,      it also works
 >>
 >> Is there something I have to do to enable queries of the in-addr.arpa type?
 >> --
--
Jim Pazarena     mailto:paz at ccstores.com
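
Added example, not part of the original thread: a small Python helper for triaging denied reverse queries, using the octet-reversal rule Kevin describes and the two addresses discussed above. The `MY_ZONES` list and the function names are assumptions made for illustration; the /24 reverse zone name is inferred from the stated range, not taken from a posted named.conf.

```python
import ipaddress

# Assumption for illustration: the zones this server is authoritative for.
# The forward zone is named in the thread; the /24 reverse zone name is
# inferred from "I control the range 209.53.238/24".
MY_ZONES = ["qcislands.net", "238.53.209.in-addr.arpa"]

def reverse_name(ip):
    """IPv4 address -> PTR query name: reverse the octets, append in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def ip_from_reverse_name(qname):
    """Full 4-octet in-addr.arpa name -> dotted quad (ValueError otherwise)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError("not a full IPv4 reverse name: %r" % qname)
    return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))

def covering_zone(qname, zones):
    """Most specific zone that qname equals or sits under, or None."""
    q = qname.rstrip(".").lower().split(".")
    best = None
    for zone in zones:
        z = zone.rstrip(".").lower().split(".")
        if len(z) <= len(q) and q[-len(z):] == z:
            if best is None or len(z) > len(best.split(".")):
                best = zone
    return best

def triage(denied_qnames, zones=MY_ZONES):
    """Map each denied query name to (address, covering zone or None)."""
    return {q: (ip_from_reverse_name(q), covering_zone(q, zones))
            for q in denied_qnames}

if __name__ == "__main__":
    # Constructed sample: the two reverse names discussed in the thread.
    denied = [reverse_name("209.53.238.1"), reverse_name("64.69.87.111")]
    for qname, (ip, zone) in triage(denied).items():
        where = "inside local zone " + zone if zone else "outside every local zone"
        print("%-28s %-15s %s" % (qname, ip, where))
```

A covering zone of `None` means the name falls under no zone in the list, so the query is asking this server about address space held elsewhere.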
